The issue affects all versions since Java SE 6 update 10. Disabling the Java plug-in is not sufficient to prevent exploitation, because the toolkit is installed independently of the plug-in.

But you would have to somehow get a 'bad VM' onto the target system in order to make this work. Since people (smart people anyway) don't surf the web from their server boxes, the hacker would have to have some way to get the poisoned VM onto the server. And I guess I'm not clear how Java Web Start would be started on a server.

Thanks for answering that. The other question I have is how is WebStart being invoked on servers? We have such strict control over what can be deployed on our servers. I can't imagine someone using Java WebStart to download Java to run on a server. I might just be missing something about this.
